Federal medical-privacy law frustrates ID theft victims
Clinton Mikel: “Even if you can amend your record… you can’t push it out to everyone. And frankly, you likely don’t know who [to] push it out to.” Photo by Peter Baker.
Linda Weaver had two good feet when she opened her mailbox one day in 2005. So she was surprised to find a bill for the amputation of her right foot.
Weaver, who runs a horse farm in Florida, soon discovered that it wasn’t just a mix-up. According to the Los Angeles Times, her stolen identity and insurance information had been used to get surgery. She was stuck with the bill—and with a medical record full of incorrect, potentially dangerous information.
Weaver was one of a growing number of medical identity theft victims whose identity was stolen to make false health care claims. A 2013 study from the Ponemon Institute, an independent research organization in Traverse City, Michigan, that focuses on privacy and security, found the crime grew by 19 percent between 2012 and 2013. The Identity Theft Resource Center, a nonprofit working on prevention and victim assistance, said in March that medical records breaches made up 43.8 percent of all breaches reported to the federal government last year.
Medical identity theft creates some of the same financial complications as identity fraud. After Weaver convinced her insurance company that an imposter had the amputation, the insurer wouldn’t cover it. So the hospital socked Weaver with the whole bill, even after she sent a notarized photo of her feet. Collection agencies weren’t interested in Weaver’s story, so the debt kept getting resold, creating multiple false entries on her credit report. Clearing this up became a 40-hour-a-week job, Weaver told the newspaper.
But there are also health consequences to medical identity theft. An incorrect diagnosis, body weight or blood type in a victim’s health records could mislead well-meaning providers into giving inappropriate—maybe even life-threatening—care.
And unwinding a victim’s health information from a thief’s can be extremely difficult. The federal Health Insurance Portability and Accountability Act, the major health privacy law, doesn’t create a clear consumer right to correct health records.
“The way it works in practicality with providers is … you still have no right to correct information,” says Pam Dixon, executive director of the World Privacy Forum, a San Diego research group. “Under HIPAA, you have the right to make an amendment, and a physician does not have to accept that amendment.”
In fact, HIPAA has been a barrier in some cases. Providers have been known to deny patients access to records under their names because the information belongs to the thief. That’s why Weaver was denied a chance to view and correct her files at the hospital that performed the amputation. It wasn’t until she marched into the emergency room, shouting that the hospital didn’t know who its own patients were, that she got access.
Even after that, the incorrect records persisted. Two years after her false amputation, Weaver suffered a real heart attack. When she woke up in a hospital room, a nurse asked her what she takes for diabetes—which she doesn’t have.
Pam Dixon of the World Privacy Forum: “The way it works in practicality with providers is … you still have no right to correct information.” Photo courtesy of C-SPAN.
EASY TARGET
The health care industry wants to solve the problem. The Medical Identity Fraud Alliance, an umbrella group for medical, technology and consumer groups interested in fighting the problem, was formed last year. But Ann Patterson, program director of MIFA, says consumers aren’t necessarily aware of medical identity theft, even though it’s growing.
“From an identity theft standpoint, it’s the biggest type of identity theft,” she says. “If you go into the health care fraud world, it is also the fastest-growing health care fraud.”
Part of the reason, Patterson says, is that health care information is increasingly computerized—making it easier to steal large amounts of data at once. Clinton Mikel, an attorney at the Health Law Partners in Southfield, Michigan, adds that not all providers are securing electronic records, making such records the low-hanging fruit.
Another reason is that organized crime has discovered health care fraud, in which false treatment claims are submitted to insurance companies or government programs. An annual federal report on health care fraud and abuse says the FBI’s health care fraud enforcement arm nearly doubled the amount of criminal organizations it dismantled between fiscal 2010 and 2013.
Those thefts have long-lasting consequences. The most concerning may be the potential for medical mistakes created by wrong informa-tion. But false records of expensive health problems can also affect victims’ ability to get health insurance on the individual market, and sometimes their job opportunities. That was a problem for one victim, whose application to a police department was scuttled by a false mental illness diagnosis from a corrupt psychiatrist.
Unfortunately, a lack of legal tools makes correcting health records a time-consuming and frustrating task. Victims of conventional identity theft have clear rights laid out by the Fair Credit Reporting Act and other federal laws, which provide a right to contest records and a right to sue.
By contrast, HIPAA and the companion HITECH Act (Health Information Technology for Economic and Clinical Health), which incentivizes adoption of electronic health records, provide only limited patient rights. Patients have a right to know about large data breaches, see their own records and request corrections. But if the provider disagrees with corrections, it doesn’t have to make them; it can instead note that the patient disagrees. Providers also aren’t obligated to change information they received from another provider—even if it’s dangerously wrong.
To make matters worse, victims must repeat the process with each record that has wrong information—potentially scores of them. Because there’s no centralized health database in the United States, updating a record with one provider doesn’t do anything about wrong information with another. And victims may not even know of all the records because records can go to labs, hospitals and more without notice to the patient.
“If you exercise that [HIPAA] right, what does that really get you?” asks Mikel, chair of the e-Health, Privacy and Security Interest Group of the ABA’s Health Law Section. “Even if you can amend your record in some form, you can’t push it out to everyone. And frankly, you likely don’t know who you would push it out to.”
Mikel says HIPAA should not create the catch-22 problem Weaver faced, where the hospital won’t let the victim see a record under her own name because it has someone else’s information. He suggests some workers might not understand HIPAA well, particularly after 2013 updates gave the law more teeth.
But because HIPAA doesn’t create a private right to sue, pa-tients with that kind of intractable problem must use state laws. Mikel notes that there are records-breach lawsuits based on common-law or state privacy statutes.
IN LIEU OF A LAW
Despite these criticisms, there’s not a lot of lobbying for changes to HIPAA. In 2006, the World Privacy Forum called for laws expanding patients’ rights. Dixon says one major victory came when the HITECH Act required notification of data breaches involving 500 or more people. She also notes that the report inspired California lawmakers to add a data-breach notification provision to the state’s Confidentiality of Medical Information Act.
Without a law, Dixon says, some medical providers have adopted what she says is a best practice: sitting down with the victim and sorting out wrong information into a John/Jane Doe file.
As a privacy and security lawyer, Mikel thinks providers should respond by conducting the risk analysis required under HIPAA’s security rule. That means examining how they’re collecting, storing and sharing protected information to head off breaches.
Patterson says the Medical Identity Fraud Alliance isn’t advocating for health care companies to be regulated like banks, but it would like to see more awareness from both consumers and providers.
“When you go into a bank, the bank has to authenticate you before it negotiates any kind of money with you,” she says. At hospitals, “nobody’s authenticating that person. But we should be—why wouldn’t we?”
This article originally appeared in the September 2014 issue of the ABA Journal with this headline: “Unhealthy Choice: Federal medical-privacy law frustrates ID theft victims.”
